The U.S. Department of Justice has accused Chinese military personnel of hacking into the computer systems of Equifax, a credit reporting agency, in 2017.
The indictment alleges four members of China’s People’s Liberation Army (PLA) engaged in a three-month-long campaign to steal personal information of approximately 145 million Americans, and valuable trade secrets of the company, namely its data compilations and database designs.
Wu Zhiyong, Liu Lei, Xu Ke, and Wang Qian were members of the PLA’s 54th Research Institute, which is a component of the military of China. The four accused allegedly conspired with each other to hack into the computer networks of Equifax, maintain unauthorized access to those systems, and steal personal information of around 145 million American victims, the U.S. Department of Justice noted in a press release today.
The investigation was carried out jointly by the U.S. Attorney’s Office for the Northern District of Georgia, the FBI’s Atlanta Field Office, and the Criminal and National Security Divisions of the Department of Justice. The FBI’s Cyber Division also provided support.
“This was an organized and remarkably brazen criminal heist of sensitive information of nearly half of all Americans, as well as the hard work and intellectual property of an American company, by a unit of the Chinese military,” said U.S. Attorney General William P. Barr, who made the announcement.
The indictment states that the defendants took advantage of a vulnerability in the Apache Struts Web Framework software used by the online dispute portal of Equifax. The defendants used this access to conduct reconnaissance of the portal and to obtain login credentials that could be used to navigate further into Equifax’s network.
“The defendants spent several weeks running queries to identify Equifax’s database structure and searching for sensitive, personally identifiable information within Equifax’s system. Once they accessed files of interest, the conspirators then stored the stolen information in temporary output files, compressed and divided the files, and ultimately were able to download and exfiltrate the data from Equifax’s network to computers outside the United States. In total, the attackers ran approximately 9,000 queries on Equifax’s system, obtaining names, birth dates and social security numbers for nearly half of all American citizens,” read the press release.
The indictment also states that the defendants routed traffic through around 34 servers located in approximately 20 countries to obfuscate their true location, used encrypted communication channels within Equifax’s network to blend in with normal network activity, and wiped log files and deleted compressed files on a daily basis to eliminate records of their activity.
The defendants were charged with three counts of conspiracy to commit wire fraud, conspiracy to commit computer fraud, and conspiracy to commit economic espionage. They have also been charged with two counts of unauthorized access and intentional damage to a protected computer, three counts of wire fraud, and one count of economic espionage.
“Today, we hold PLA hackers accountable for their criminal actions, and we remind the Chinese government that we have the capability to remove the Internet’s cloak of anonymity and find the hackers that nation repeatedly deploys against us. Unfortunately, the Equifax hack fits a disturbing and unacceptable pattern of state-sponsored computer intrusions and thefts by China and its citizens that have targeted personally identifiable information, trade secrets, and other confidential information,” said Barr.
These are just allegations, and the defendants are presumed innocent until proven guilty beyond a reasonable doubt in a court of law.